Re: [SRI] Requiring CORS for SRI

From: Francois Marier <francois@mozilla.com>
Date: Thu, 07 May 2015 18:17:18 +1200
Message-ID: <554B036E.7080303@mozilla.com>
To: public-webappsec@w3.org

On 07/05/15 06:17, Tanvi Vyas wrote:
> Requiring CORS is an unfortunate constraint because web developers
> cannot use SRI on all the third-party javascript embedded on their
> page.  They have to reach out to each third-party and ask that they set
> the CORS header.

Thanks for raising this, Tanvi. I'm also worried about the impact that
this will have on adoption.

Your solution is interesting and so is Mike West's suggestion to remove
cookies and auth (https://github.com/w3c/webappsec/issues/338).

At the very least, we should ensure that this requirement is specified
in such a way that we can remove it in the future without older clients
blocking these sub-resources.

Francois
Received on Thursday, 7 May 2015 06:17:51 UTC